Amazon VPC Flow Logs

When you configure Amazon VPC Flow Logs to send log data to USM Anywhere, you can use the VPC Flow Logs plugin to translate the raw log data into normalized events for analysis.

Device          | Details
Vendor          | Amazon
Device Type     | Cloud Infrastructure
Connection Type | AWS CloudWatch

Integrating Amazon VPC Flow Logs

VPC Flow Logs is a feature that lets you capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs, so you must first enable CloudWatch in your AWS environment and set up a new CloudWatch Collection job in AWS to transport log files from your VPC environment to a place where USM Anywhere can access them.

To create a flow log, you specify the flow log resource, the type of traffic to capture (accepted traffic, rejected traffic, or all traffic), and the name of a log group in CloudWatch Logs where the flow log will be published. Flow logs do not capture all types of IP traffic. The following types of traffic are not logged:

After you've created a flow log, you can work with flow log records the same as any other log events collected by CloudWatch Logs.

Plugin Enablement

When you set up a new CloudWatch log collection job, you select an associated plugin for the collection job; in this case, the VPC Flow Logs plugin. This enables the plugin when USM Anywhere runs the CloudWatch log collection job.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.
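As an added illustration of the raw-to-normalized translation described above (this is not the USM Anywhere plugin's own parser), the following Python code parses default-format (version 2) VPC flow log records, as published to CloudWatch Logs, into event dictionaries. It assumes the default AWS field order and treats NODATA/SKIPDATA records, whose flow fields are "-", as events with no address or port data; the sample lines are constructed.

```python
"""Normalize Amazon VPC Flow Logs default-format (version 2) records.

Added illustration; not the USM Anywhere plugin's own parser. Field order
follows the default flow log format documented by AWS (an assumption here).
"""
from typing import Optional

# Default (version 2) flow log field order.
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}
# IANA protocol numbers most often seen in flow logs (partial mapping).
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow_record(line: str) -> Optional[dict]:
    """Return a normalized event dict, or None if the line is not a v2 record."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    raw = dict(zip(FIELDS, parts))
    if raw["version"] != "2":
        return None
    event = {}
    for name, value in raw.items():
        if value == "-":  # NODATA / SKIPDATA records carry no flow fields
            event[name] = None
        elif name in INT_FIELDS:
            event[name] = int(value)
        else:
            event[name] = value
    proto = event["protocol"]
    event["protocol_name"] = None if proto is None else PROTOCOLS.get(proto, "other")
    # REJECT is how a security group or network ACL deny shows up in flow logs.
    event["rejected"] = event["action"] == "REJECT"
    return event


def parse_flow_records(lines):
    """Parse many lines, skipping those that are not well-formed records."""
    return [e for e in (parse_flow_record(ln) for ln in lines) if e is not None]


# Constructed sample records (account and interface ids are made up).
SAMPLE_LINES = [
    "2 111122223333 eni-0abc1234def567890 10.0.1.25 10.0.2.40 49152 22 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0abc1234def567890 198.51.100.7 10.0.1.25 51234 3389 6 1 40 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-0abc1234def567890 - - - - - - - 1700000000 1700000060 - NODATA",
    "not a flow log line",
]

if __name__ == "__main__":
    for ev in parse_flow_records(SAMPLE_LINES):
        print(ev["srcaddr"], "->", ev["dstaddr"], ev["protocol_name"], ev["action"], ev["log_status"])
```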